18 Apr, 2019

3 commits

  • Some public key algorithms (like EC-DSA) keep in parameters field
    important data such as digest and curve OIDs (possibly more for
    different EC-DSA variants). Thus, just setting a public key (as
    for RSA) is not enough.

    Append parameters into the key stream for akcipher_set_{pub,priv}_key.
    Appended data is: (u32) algo OID, (u32) parameters length, parameters
    data.

    This does not affect current akcipher API nor RSA ciphers (they could
    ignore it). Idea of appending parameters to the key stream is by Herbert
    Xu.

    Cc: David Howells
    Cc: Denis Kenzior
    Cc: keyrings@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Reviewed-by: Denis Kenzior
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
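
The appended layout described in this commit message, as an added user-space C example (not code from the commit or the kernel). It assumes the two u32 fields are in native byte order and that the caller already knows the key length from decoding the key; the struct, the function names and the sample values are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct key_params {
	uint32_t algo;          /* (u32) algo OID */
	uint32_t paramlen;      /* (u32) parameters length */
	const uint8_t *params;  /* parameters data, points into the stream */
};

/* Producer side: key || algo || paramlen || params. Returns bytes written. */
static size_t append_params(uint8_t *dst, const uint8_t *key, size_t key_len,
			    uint32_t algo, const uint8_t *params, uint32_t paramlen)
{
	uint8_t *p = dst;
	memcpy(p, key, key_len);                p += key_len;
	memcpy(p, &algo, sizeof(algo));         p += sizeof(algo);
	memcpy(p, &paramlen, sizeof(paramlen)); p += sizeof(paramlen);
	memcpy(p, params, paramlen);            p += paramlen;
	return (size_t)(p - dst);
}

/* Consumer side: key_len is assumed known from decoding the key itself. */
static int parse_params(const uint8_t *buf, size_t len, size_t key_len, struct key_params *out)
{
	const size_t hdr = 2 * sizeof(uint32_t);
	if (key_len > len || len - key_len < hdr)
		return -EINVAL;         /* no room for the two u32 fields */
	memcpy(&out->algo, buf + key_len, sizeof(uint32_t));
	memcpy(&out->paramlen, buf + key_len + sizeof(uint32_t), sizeof(uint32_t));
	if (out->paramlen > len - key_len - hdr)
		return -EINVAL;         /* declared length overruns the stream */
	out->params = buf + key_len + hdr;
	return 0;
}

/* Constructed sample: 4-byte stand-in key, algo value 7, 3 parameter bytes.
 * 'cut' truncates the stream by that many bytes before parsing. */
static int demo(size_t cut)
{
	static const uint8_t key[4] = {0xAA, 0xBB, 0xCC, 0xDD}, prm[3] = {1, 2, 3};
	uint8_t buf[32];
	struct key_params kp;
	size_t n = append_params(buf, key, sizeof(key), 7, prm, sizeof(prm));
	int ret = parse_params(buf, n - cut, sizeof(key), &kp);
	if (ret == 0 && (kp.algo != 7 || memcmp(kp.params, prm, sizeof(prm))))
		return -EBADMSG;
	return ret;
}
int main(void) { return demo(0) ? 1 : 0; }
```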
     
  • Treat (struct public_key_signature)'s digest same as its signature (s).
    Since digest should be already in the kmalloc'd memory do not kmemdup
    digest value before calling {public,tpm}_key_verify_signature.

    Patch is split from the previous as suggested by Herbert Xu.

    Suggested-by: David Howells
    Cc: David Howells
    Cc: keyrings@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Reviewed-by: Denis Kenzior
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
  • Previous akcipher .verify() just `decrypts' (using RSA encrypt which is
    using public key) signature to uncover message hash, which was then
    compared in upper level public_key_verify_signature() with the expected
    hash value, which itself was never passed into verify().

    This approach was incompatible with EC-DSA family of algorithms,
    because, to verify a signature EC-DSA algorithm also needs a hash value
    as input; then it's used (together with a signature divided into halves
    `r||s') to produce a witness value, which is then compared with `r' to
    determine if the signature is correct. Thus, for EC-DSA, neither the
    requirements of .verify() itself nor its output expectations in
    public_key_verify_signature() were sufficient.

    Make improved .verify() call which gets hash value as input and produce
    complete signature check without any output besides status.

    Now for the top level verification only crypto_akcipher_verify() needs
    to be called and its return value inspected.

    Make sure that `digest' is in kmalloc'd memory (in place of `output`) in
    {public,tpm}_key_verify_signature() as insisted by Herbert Xu, and will
    be changed in the following commit.

    Cc: David Howells
    Cc: keyrings@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Reviewed-by: Denis Kenzior
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     

26 Oct, 2018

3 commits

  • Implement the encrypt, decrypt and sign operations for the software
    asymmetric key subtype. This mostly involves offloading the call to the
    crypto layer.

    Note that the decrypt and sign operations require a private key to be
    supplied. Encrypt (and also verify) will work with either a public or a
    private key. A public key can be supplied with an X.509 certificate and a
    private key can be supplied using a PKCS#8 blob:

    # j=`openssl pkcs8 -in ~/pkcs7/firmwarekey2.priv -topk8 -nocrypt -outform DER | keyctl padd asymmetric foo @s`
    # keyctl pkey_query $j - enc=pkcs1
    key_size=4096
    max_data_size=512
    max_sig_size=512
    max_enc_size=512
    max_dec_size=512
    encrypt=y
    decrypt=y
    sign=y
    verify=y
    # keyctl pkey_encrypt $j 0 data enc=pkcs1 >/tmp/enc
    # keyctl pkey_decrypt $j 0 /tmp/enc enc=pkcs1 >/tmp/dec
    # cmp data /tmp/dec
    # keyctl pkey_sign $j 0 data enc=pkcs1 hash=sha1 >/tmp/sig
    # keyctl pkey_verify $j 0 data /tmp/sig enc=pkcs1 hash=sha1
    #

    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Reviewed-by: Denis Kenzior
    Tested-by: Denis Kenzior
    Signed-off-by: James Morris

    David Howells
     
  • Put a flag in the public_key struct to indicate if the structure is holding
    a private key. The private key must be held ASN.1 encoded in the format
    specified in RFC 3447 A.1.2. This is the form required by crypto/rsa.c.

    The software encryption subtype's verification and query functions then
    need to select the appropriate crypto function to set the key.

    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Reviewed-by: Denis Kenzior
    Tested-by: Denis Kenzior
    Signed-off-by: James Morris

    David Howells
     
  • Provide a query function for the software public key implementation. This
    permits information about such a key to be obtained using
    query_asymmetric_key() or KEYCTL_PKEY_QUERY.

    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Reviewed-by: Denis Kenzior
    Tested-by: Denis Kenzior
    Signed-off-by: James Morris

    David Howells
     

22 Feb, 2018

1 commit

  • The X.509 parser mishandles the case where the certificate's signature's
    hash algorithm is not available in the crypto API. In this case,
    x509_get_sig_params() doesn't allocate the cert->sig->digest buffer;
    this part seems to be intentional. However,
    public_key_verify_signature() is still called via
    x509_check_for_self_signed(), which triggers the 'BUG_ON(!sig->digest)'.

    Fix this by making public_key_verify_signature() return -ENOPKG if the
    hash buffer has not been allocated.

    Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled:

    openssl req -new -sha512 -x509 -batch -nodes -outform der \
    | keyctl padd asymmetric desc @s

    Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
    Reported-by: Paolo Valente
    Cc: Paolo Valente
    Cc: # v4.7+
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     

08 Dec, 2017

1 commit

  • In public_key_verify_signature(), if akcipher_request_alloc() fails, we
    return -ENOMEM. But that error code was set 25 lines above, and by
    accident someone could easily insert new code in between that assigns to
    'ret', which would introduce a signature verification bypass. Make the
    code clearer by moving the -ENOMEM down to where it is used.

    Additionally, the callers of public_key_verify_signature() only consider
    a negative return value to be an error. This means that if any positive
    return value is accidentally introduced deeper in the call stack (e.g.
    'return EBADMSG' instead of 'return -EBADMSG' somewhere in RSA),
    signature verification will be bypassed. Make things more robust by
    having public_key_verify_signature() warn about positive errors and
    translate them into -EINVAL.

    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
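
The failure mode this commit message describes, as an added user-space C example (not the kernel's code): a low-level check that returns a positive errno, a caller that treats only negative values as errors, and a wrapper that translates positive values to -EINVAL. All function names are hypothetical and the digests are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample digests; not real hash output. */
static const unsigned char EXPECTED[4] = {0x01, 0x02, 0x03, 0x04};
static const unsigned char FORGED[4]   = {0x09, 0x09, 0x09, 0x09};

/* Hypothetical low-level check with the bug class from the commit message:
 * it returns a positive errno on mismatch instead of a negative one. */
static int lowlevel_verify(const unsigned char *digest, size_t len)
{
	if (len != sizeof(EXPECTED) || memcmp(digest, EXPECTED, len) != 0)
		return EBADMSG;         /* BUG: should be -EBADMSG */
	return 0;
}

/* Wrapper without the hardening: the positive value reaches the caller. */
static int verify_passthrough(const unsigned char *digest, size_t len)
{
	return lowlevel_verify(digest, len);
}

/* Wrapper with the hardening: positive values are translated to -EINVAL
 * (the kernel change also warns at this point). */
static int verify_hardened(const unsigned char *digest, size_t len)
{
	int ret = lowlevel_verify(digest, len);

	return ret > 0 ? -EINVAL : ret;
}

/* Caller convention from the commit message: only negative is an error. */
static int caller_accepts(int ret)
{
	return ret >= 0;
}

int main(void)
{
	printf("passthrough accepts forged: %d\n",
	       caller_accepts(verify_passthrough(FORGED, sizeof(FORGED))));
	printf("hardened accepts forged:    %d\n",
	       caller_accepts(verify_hardened(FORGED, sizeof(FORGED))));
	return 0;
}
```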
     

16 Nov, 2017

1 commit


03 Nov, 2017

1 commit


23 May, 2017

1 commit

  • public_key_verify_signature() was passing the CRYPTO_TFM_REQ_MAY_BACKLOG
    flag to akcipher_request_set_callback() but was not handling correctly
    the case where a -EBUSY error could be returned from the call to
    crypto_akcipher_verify() if backlog was used, possibly causing
    data corruption due to use-after-free of buffers.

    Resolve this by handling -EBUSY correctly.

    Signed-off-by: Gilad Ben-Yossef
    CC: stable@vger.kernel.org
    Signed-off-by: Herbert Xu

    Gilad Ben-Yossef
     

14 Dec, 2016

1 commit

  • The function public_key_verify_signature() returns variable ret on
    error paths. When the call to kmalloc() fails, the value of ret is 0,
    and it is not set to an errno before returning. This patch fixes the
    bug.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188891

    Signed-off-by: Pan Bian
    Signed-off-by: David Howells
    Signed-off-by: Herbert Xu

    Pan Bian
     

06 Apr, 2016

1 commit


04 Mar, 2016

2 commits

  • Make the identifier public key and digest algorithm fields text instead of
    enum.

    Signed-off-by: David Howells
    Acked-by: Herbert Xu

    David Howells
     
  • Move the RSA EMSA-PKCS1-v1_5 encoding from the asymmetric-key public_key
    subtype to the rsa crypto module's pkcs1pad template. This means that the
    public_key subtype no longer has any dependencies on public key type.

    To make this work, the following changes have been made:

    (1) The rsa pkcs1pad template is now used for RSA keys. This strips off the
    padding and returns just the message hash.

    (2) In a previous patch, the pkcs1pad template gained an optional second
    parameter that, if given, specifies the hash used. We now give this,
    and pkcs1pad checks the encoded message E(M) for the EMSA-PKCS1-v1_5
    encoding and verifies that the correct digest OID is present.

    (3) The crypto driver in crypto/asymmetric_keys/rsa.c is now reduced to
    something that doesn't care about what the encryption actually does
    and has been merged into public_key.c.

    (4) CONFIG_PUBLIC_KEY_ALGO_RSA is gone. Module signing must set
    CONFIG_CRYPTO_RSA=y instead.

    Thoughts:

    (*) Should the encoding style (eg. raw, EMSA-PKCS1-v1_5) also be passed to
    the padding template? Should there be multiple padding templates
    registered that share most of the code?

    Signed-off-by: David Howells
    Signed-off-by: Tadeusz Struk
    Acked-by: Herbert Xu

    David Howells
     

10 Feb, 2016

1 commit


21 Oct, 2015

1 commit

  • Merge the type-specific data with the payload data into one four-word chunk
    as it seems pointless to keep them separate.

    Use user_key_payload() for accessing the payloads of overloaded
    user-defined keys.

    Signed-off-by: David Howells
    cc: linux-cifs@vger.kernel.org
    cc: ecryptfs@vger.kernel.org
    cc: linux-ext4@vger.kernel.org
    cc: linux-f2fs-devel@lists.sourceforge.net
    cc: linux-nfs@vger.kernel.org
    cc: ceph-devel@vger.kernel.org
    cc: linux-ima-devel@lists.sourceforge.net

    David Howells
     

13 Aug, 2015

1 commit


03 Sep, 2014

1 commit


26 Oct, 2013

1 commit


26 Sep, 2013

1 commit

  • Modify public_key_verify_signature() so that it now takes a public_key struct
    rather than a key struct and supply a wrapper that takes a key struct. The
    wrapper is then used by the asymmetric key subtype and the modified function is
    used by X.509 self-signature checking and can be used by other things also.

    Signed-off-by: David Howells
    Reviewed-by: Kees Cook
    Reviewed-by: Josh Boyer

    David Howells
     

25 Sep, 2013

2 commits

  • Move the public-key algorithm pointer array from x509_public_key.c to
    public_key.c as it isn't X.509 specific.

    Note that to make this configure correctly, the public key part must be
    dependent on the RSA module rather than the other way round. This needs a
    further patch to make use of the crypto module loading stuff rather than using
    a fixed table.

    Signed-off-by: David Howells
    Reviewed-by: Kees Cook
    Reviewed-by: Josh Boyer

    David Howells
     
  • Rename the arrays of public key parameters (public key algorithm names, hash
    algorithm names and ID type names) so that the array name ends in "_name".

    Signed-off-by: David Howells
    Reviewed-by: Kees Cook
    Reviewed-by: Josh Boyer

    David Howells
     

08 Oct, 2012

1 commit